[00:04.970 --> 00:09.390]  Good morning, good afternoon, good evening, everybody.
[00:10.990 --> 00:16.610]  It is a civic duty that if you see something, you say something.
[00:17.110 --> 00:22.250]  That is the underlying principle behind vulnerability disclosure,
[00:22.250 --> 00:24.570]  which I will talk about today.
[00:24.630 --> 00:28.330]  Give me a second here as I turn on my slide deck.
[00:58.170 --> 01:01.210]  As I said, I'm here to talk about vulnerability disclosure
[01:01.210 --> 01:05.310]  for digital systems in vital use by society,
[01:05.310 --> 01:07.350]  such as voting machines.
[01:08.090 --> 01:12.530]  Vulnerability disclosure is the neighborhood watch of cybersecurity.
[01:12.770 --> 01:15.410]  If you see something, say something.
[01:15.490 --> 01:19.350]  When we surface the bad news to everyone,
[01:19.350 --> 01:21.530]  we can take corrective action.
[01:21.890 --> 01:25.990]  Vulnerability disclosure is the bad news that turns into good news.
[01:25.990 --> 01:28.910]  Weaknesses you don't know of, you cannot fix.
[01:28.910 --> 01:32.590]  When you know of them, you fix them and turn them into good news.
[01:33.370 --> 01:37.270]  There are two critical legal aspects of vulnerability disclosure.
[01:37.670 --> 01:42.470]  Number one, the right for anyone to look for vulnerabilities in systems.
[01:42.650 --> 01:45.830]  And number two, the right to share the findings,
[01:45.830 --> 01:49.270]  not just with the owner of the system, but with the public.
[01:51.600 --> 01:53.440]  My name is Mårten Mickos.
[01:53.440 --> 01:55.500]  I'm the CEO of HackerOne,
[01:55.500 --> 01:58.700]  representing three quarters of a million ethical hackers
[01:58.700 --> 02:00.380]  all over the world.
[02:05.800 --> 02:09.620]  We're here today to talk about voting and voting machines.
[02:10.080 --> 02:15.410]  And if you look at the word vote and the Latin translation of it,
[02:15.800 --> 02:21.920]  it is the decision-making atom of nations and societies,
[02:21.920 --> 02:24.520]  and has been so for thousands of years.
[02:25.080 --> 02:29.360]  We have built our countries and our nations based on voting systems.
[02:29.620 --> 02:32.500]  It is a fundamental piece of democracy.
[02:32.500 --> 02:38.000]  And throughout history, we've made good use of the latest innovations,
[02:38.000 --> 02:42.660]  such as paper, to build mechanisms and systems for voting.
[02:42.940 --> 02:48.020]  But tragically, today, we have a world with digital capabilities
[02:48.020 --> 02:50.680]  beyond our wildest dreams.
[02:51.100 --> 02:55.220]  Yet, we have been unable to construct reliable and trustworthy
[02:55.220 --> 02:57.480]  digital voting systems.
[02:57.600 --> 02:59.220]  What's wrong here?
[02:59.220 --> 03:01.540]  How could we allow this to happen?
[03:01.540 --> 03:04.040]  And what is the fix?
[03:06.400 --> 03:09.380]  There's a logical conclusion that has been missing.
[03:09.480 --> 03:14.180]  If you believe in democracy, with one person, one vote,
[03:14.180 --> 03:17.100]  and if you do believe in the freedom of speech,
[03:17.100 --> 03:21.440]  which the U.S. does by means of its First Amendment,
[03:21.440 --> 03:24.420]  there's just one logical conclusion for voting machines
[03:24.420 --> 03:26.160]  and voting technology.
[03:26.320 --> 03:29.060]  You must believe in vulnerability disclosure,
[03:29.060 --> 03:33.760]  meaning the practice of inviting external, unbiased people
[03:33.760 --> 03:37.940]  to test the security and validity of the system.
[03:38.000 --> 03:42.320]  If you don't believe in this form of external and public scrutiny,
[03:42.320 --> 03:46.220]  you are not believing in democracy or freedom of speech.
[03:48.460 --> 03:53.140]  Let us think about how computer systems come to be.
[03:53.440 --> 03:57.560]  Somebody designs a system, the design is approved,
[03:57.560 --> 04:01.060]  product is developed and built, and it is tested.
[04:01.800 --> 04:06.280]  To make something truly secure and worthy of the trust of everyone,
[04:06.280 --> 04:10.180]  we must design security in from the start.
[04:10.560 --> 04:13.260]  Security must be there from the get-go.
[04:13.920 --> 04:18.280]  If you bolt it afterwards as an afterthought, it will never work.
[04:18.760 --> 04:22.200]  It must be there. Security must be there from the first blueprint.
[04:23.280 --> 04:27.540]  Then, secondly, once the system is ostensibly ready for public use,
[04:27.560 --> 04:33.960]  you must turn around and let it undergo external, unbiased and unlimited vetting.
[04:33.960 --> 04:37.900]  Now an inside-outside-in view is needed.
[04:39.240 --> 04:42.380]  Journalists don't see their own typos.
[04:42.460 --> 04:45.200]  Bookkeepers can't see their accounting mistakes.
[04:45.200 --> 04:48.380]  So we need proofreaders and we need auditors.
[04:48.460 --> 04:53.420]  These people come in with a fresh, objective mind and no bias of ownership.
[04:53.420 --> 04:58.600]  They spot the flaws quickly and the flaws can be fixed.
[04:58.840 --> 05:00.840]  It's the same with software.
[05:00.900 --> 05:06.600]  We must subject software to external scrutiny by people who we do not personally know.
[05:06.860 --> 05:13.620]  Ethical hackers, white hats, security researchers, they come by many names, but it is the same thing.
[05:13.720 --> 05:17.740]  They are masters of detecting flaws in systems built by others.
[05:17.860 --> 05:22.140]  Hackers are the best mechanism for finding vulnerabilities so they can be fixed.
[05:22.140 --> 05:27.400]  In essence, hacking is the immune system of the Internet.
[05:27.920 --> 05:29.600]  They are a vaccine.
[05:30.120 --> 05:34.000]  They can think like an adversary, but they act in your benefit.
[05:35.040 --> 05:43.430]  Too often, however, the simple principle of security designed from the inside-out and tested from the outside-in is not used.
[05:43.430 --> 05:56.210]  We have voting machine bugs that have been known for several election cycles and are still there, unfixed, out there in the wild, ready to be exploited by people who do not believe in democracy.
[05:56.330 --> 05:59.650]  We must fix this simple but fatal problem.
[06:00.530 --> 06:10.490]  Governments should mandate vulnerability disclosure for every manufacturer and vendor of technology used for voting or any other vital societal function.
[06:10.490 --> 06:16.550]  It's that easy and it's difficult, but yet it's easy and we should make that decision.
[06:18.270 --> 06:21.450]  The principles I'm talking about here are not new.
[06:21.450 --> 06:37.110]  Over 100 years ago, there was a Dutch scientist by the name of Kerckhoffs who postulated that when you are building a system intended to be safe and secure and maybe protect secrecy, the mechanism of the machine need not be kept secret.
[06:37.110 --> 06:47.910]  On the contrary, if you make the blueprint open for anybody to test and study and vet, you have a better chance of making a secure system than if you don't.
[06:47.910 --> 06:52.690]  It's only the keys that need to be secret, but not the mechanism of the system.
[06:53.070 --> 06:58.250]  This is an important principle of openness of design that leads to better security.
[06:59.190 --> 07:04.950]  Much later, a man called Shannon wrote the corollary of Kerckhoffs' principle.
[07:04.950 --> 07:10.070]  He said, you must assume that your enemy will learn how your system was built.
[07:10.570 --> 07:17.910]  Share the design with everybody and in that way you share it also with the good people who will help fix it, who will help improve it.
[07:18.110 --> 07:25.970]  And by the way, there are many, many more good people than bad people in the world, maybe at a ratio of a thousand to one.
[07:27.410 --> 07:44.770]  So to repeat and summarize, if we have a commitment to govern our nation so that every person has one vote, it logically follows that we must let each such person conduct their own validation of the system, the system of voting being used.
[07:44.810 --> 07:49.130]  It's a very simple principle and it is very powerful.
[07:49.370 --> 07:52.350]  Public scrutiny makes every system better.
[07:52.350 --> 08:00.630]  The only reason to object to this principle would be extreme greed or disdain for democracy.
[08:02.250 --> 08:07.730]  If we look at what's going on in society at large, it's in much better shape.
[08:07.730 --> 08:19.940]  The National Institute of Science and Technology has long published the cybersecurity framework with very good advice and recommendations for large organizations.
[08:20.370 --> 08:24.130]  And they define what vulnerability disclosure means.
[08:24.130 --> 08:35.770]  They say, you need to have processes established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources.
[08:35.770 --> 08:40.730]  Such as internal testing, security bulletins or security researchers.
[08:41.250 --> 08:47.670]  When you follow the cybersecurity framework from NIST, your organization will be in much better shape.
[08:49.820 --> 08:53.200]  The Department of Defense fully embraces this.
[08:53.300 --> 09:01.620]  And they, the Pentagon, by definition, have some of the most sensitive, secure, secretive, vital systems in the world.
[09:01.620 --> 09:10.420]  And they have realized that to be fully secure, they need the help of the outside world, of hackers whom they don't even individually know.
[09:10.420 --> 09:14.920]  But to help them report vulnerabilities so that the DOD can fix them.
[09:14.920 --> 09:22.340]  They've been running a vulnerability disclosure program for over four years by now with amazing results, fantastic results.
[09:24.360 --> 09:34.740]  The Department of Homeland Security, DHS, finds vulnerability disclosure so important that they are preparing a binding operational directive about it.
[09:34.740 --> 09:41.140]  Under this BOD, civilian federal agencies will be required to invite good hackers to hack them.
[09:41.500 --> 09:44.520]  It's the only logical thing to do in a democracy.
[09:44.520 --> 09:50.260]  And it will improve the cybersecurity of all systems and increase trust among citizens.
[09:52.340 --> 10:03.800]  And hot from the press, just in the last few days, the CISA agency within DHS delivered a terrific guide for election administrators.
[10:03.820 --> 10:08.740]  The guide is called Guide to Vulnerability Reporting for America's Election Administrators.
[10:08.940 --> 10:22.080]  And they say in their foreword that election administrators should know that the cybersecurity research community can help ensure these systems are safe so that the choices of the voting public can be clearly heard.
[10:22.340 --> 10:30.780]  This guide offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.
[10:32.920 --> 10:41.240]  Looking more broadly and into the future, I see three principles that will enable us to establish a true digital civilization.
[10:41.380 --> 10:49.740]  One that actually works. A society that is well governed by digital mechanisms and which citizens can trust.
[10:49.740 --> 10:58.720]  First, it will be seen as negligence to ignore the useful input from external security researchers. Yes, negligence.
[10:58.720 --> 11:06.620]  Meaning you would be stupid not to listen to the amazing advice and input and vulnerability reports that you can get from the outside.
[11:06.940 --> 11:11.620]  Number two, cybersecurity will be a collaborative effort.
[11:12.020 --> 11:18.640]  With organizations pooling their defense to provide formidable obstacles to the adversaries.
[11:18.640 --> 11:27.860]  And we have learned over thousands of years that whenever we face an asymmetric threat, the best defense is pooled defense. So we must do it.
[11:28.460 --> 11:38.420]  Thirdly, the only way for any organization to achieve trust by customers, consumers, or citizens is through transparency.
[11:38.680 --> 11:47.420]  Openness. By sharing vulnerability information and cybersecurity policies and practices publicly and with each other, trust will grow.
[11:50.810 --> 11:59.470]  In summary, we have a system here for vulnerability disclosure where if you see something, you say something.
[11:59.470 --> 12:10.070]  It has been rejected and avoided by many vendors, but it is the only practical thing to do in order to increase the security of any computer system.
[12:10.450 --> 12:19.100]  Two legal rights are important here. The rights for the ethical hackers to do the testing and the rights for them to disclose their findings.
[12:19.720 --> 12:27.540]  We know what to do. We should have done it a long time ago. We are tragically delayed. We just have to make the decision and start going.
[12:27.660 --> 12:32.940]  We must listen to hackers. We must work together collaboratively on the defenses.
[12:33.240 --> 12:41.340]  And we must build openness into the area of cybersecurity, sharing what we are finding, sharing the vulnerabilities and our fixes.
[12:41.340 --> 12:48.160]  Because that is the only way to build trust with our citizens and with our constituent groups.
[12:48.160 --> 12:54.900]  And when we do that, we will truly build a society that can function well in the digital world.
[12:55.860 --> 12:58.060]  Thank you for listening to me today.
